Friday, 4 August 2017

Transferring personal data outside the EU: Clarification from the ECJ?

Canadian law
required airlines, in the interests of the fight against serious crime and
terrorism, to provide certain information about passengers (API/PNR data); this
obligation meant that airlines subject to EU data protection rules had to
transfer data outside the EU. The PNR
data includes the names of air passengers, the dates of intended travel, the
travel itinerary, and information relating to payment and baggage. The PNR data
may reveal travel habits, relationships between two individuals, information on
the financial situation or the dietary habits of individuals. To regularise the
transfer of data, and to support police cooperation, the EU negotiated an
agreement with Canada specifying the data to be transferred, the purposes for
which the data could be used, as well as some processing safeguard provisions
(e.g. use of sensitive data, security obligations, oversight requirements,
access by passengers). The data was
permitted to be retained for five years, albeit in a depersonalised form. Further disclosure of the data beyond Canada
and the Member States was permitted in limited circumstances. The European Parliament requested an opinion
from the Court of Justice under Article 218(11) TFEU as to whether the
agreement satisfied fundamental human rights standards and whether the
appropriate Treaty base had been used for the agreement.

Opinion

The Court noted
that the agreement fell within the EU’s constitutional framework, and must
therefore comply with its constitutional principles, including (though this
point was not made express), respect for fundamental human rights (whether as a
general principle or by virtue of the EU Charter – the EUCFR).

After dealing
with questions of admissibility, the Court addressed the question of
appropriate Treaty base. It re-stated existing principles (elaborated, for
example, in Case
C‑263/14 Parliament v Council, judgment of 14
June 2016, EU:C:2016:435) with regard to choice of Treaty base generally: the
choice must rest on objective factors (including the aim and the content of
that measure) which are amenable to judicial review. In this context the Court found that the
proposed agreement has two objectives: safeguarding public security; and
safeguarding personal data [opinion, para 90].
The Court concluded that the two objectives were inextricably linked:
while the driver for the need for PNR data was the protection of public security,
the transfer of data would be lawful only if data protection rules were
respected [para 94]. Therefore, the
agreement should be based on both Article 16(2) (data protection) and Article
87(2)(a) TFEU (police cooperation). It
held, however, that Article 82(1)(d) TFEU (judicial cooperation) could not be
used, partly because judicial authorities were not included in the agreement.

Looking at the
issue of data protection, the Court re-stated the question as being ‘on the
compatibility of the envisaged agreement with, in particular, the right to
respect for private life and the right to the protection of personal data’
[para 119]. It then commented that
although both Article 16 TFEU and Article 8 EUCFR enshrine the right to data
protection, in its analysis it would refer to Article 8 only, because that
provision lays down in a more specific manner the conditions for data
processing. The agreement refers to the
processing of data concerning identified individuals, and therefore may affect the
fundamental right to respect for private life guaranteed in Article 7 EUCFR as
well as the right to protection of personal data in Article 8 EUCFR. The Court
re-iterated a number of principles regarding the scope of the right to private
life:

‘the
communication of personal data to a third party, such as a public authority,
constitutes an interference with the fundamental right enshrined in
Article 7 of the Charter, whatever the subsequent use of the information
communicated. The same is true of the retention of personal data and access to
that data with a view to its use by public authorities. In this connection, it
does not matter whether the information in question relating to private life is
sensitive or whether the persons concerned have been inconvenienced in any way
on account of that interference’ [para 124].

The transfer of
PNR data and its retention and any use constituted an interference with both
Article 7 [para 125] and Article 8 EUCFR [para 126]. In assessing the
seriousness of the interference, the Court flagged ‘the systematic and
continuous’ nature of the PNR system, the insight into private life of
individuals, the fact that the system is used as an intelligence tool and the
length of time for which the data is available.

Interferences with these rights may be justified. Nonetheless, there are
constraints on any justification: Article 8(2) of the EU Charter specifies that processing
must be ‘for specified purposes and on the basis of the consent of the person
concerned or some other legitimate basis laid down by law’; and, according to
Article 52(1) of the EU Charter, any limitation must be provided for by
law and respect the essence of those rights and freedoms. Further, limitations must
be necessary and genuinely meet objectives of general interest recognised by
the Union or the need to protect the rights and freedoms of others.

Following WebMindLicenses
(Case C‑419/14, judgment of 17 December 2015, EU:C:2015:832,
para 81), the law that permits the interference should also set down the
extent of that interference. Proportionality requires that any derogation from
and limitation on the protection of personal data should apply only insofar as
is strictly necessary. To this end and to prevent the risk of abuse, the
legislation must set down ‘clear and precise rules governing the scope and
application of the measure in question and imposing minimum safeguards’,
specifically ‘indicat[ing] in what circumstances and under which conditions a
measure providing for the processing of such data may be adopted’ [para 141],
especially when automated processing is involved.

The Court
considered whether there was a legitimate basis for the processing, noting that
although passengers may be said to consent to the processing of PNR data, this
consent related to a different purpose. The transfer of the PNR data is not
conditional on the specific consent of the passengers and must therefore be
grounded on some other basis, within the terms of Article 8(2) EUCFR. The Court
rejected the Parliament’s submission that the meaning of ‘law’ be restricted to
‘legislative act’ internally. The Court, following the reasoning of the
Advocate General, found that in this regard the international agreement was the
external equivalent of the legislative act.

In line with its
previous jurisprudence, the Court accepted that public security is an objective
of public interest capable of justifying even serious interferences with
Articles 7 and 8 EUCFR. It also noted that everybody has the right to security
of the person (Art. 6 EUCFR), though this point was taken no further. The Court
considered that PNR data revealed only limited aspects of a person’s private
life, so that the essence of the right was not adversely affected [para 151].
In principle, limitation may then be possible. The Court accepted that PNR data
transfer was appropriate, but not that the test of necessity was satisfied. It
agreed with the Advocate General that the categories of data to be transferred
were not sufficiently precise, specifically ‘available frequent flyer and
benefit information (free tickets, upgrades, etc.)’, ‘all available contact
information (including originator information)’ and ‘general remarks including
Other Supplementary Information (OSI), Special Service Information (SSI) and
Special Service Request (SSR) information’. Although the agreement required the
Canadian authorities to delete any data transferred to them which fell outside
these categories, this obligation did not compensate for the lack of precision
regarding the scope of these categories.

The Court noted
that the agreement identified a category of ‘sensitive data’; it was therefore
to be presumed that sensitive data would be transferred under the agreement.
The Court then reasoned:

any measure based on the premiss that one or more of the
characteristics set out in Article 2(e) of the envisaged agreement may be
relevant, in itself or in themselves and regardless of the individual conduct
of the traveller concerned, having regard to the purpose for which PNR data is to
be processed, namely combating terrorism and serious transnational crime, would
infringe the rights guaranteed in Articles 7 and 8 of the Charter, read in
conjunction with Article 21 thereof [para 165]

Additionally,
any transfer of sensitive data would require a ‘precise and particularly solid’
reason beyond that of public security and prevention of terrorism. This justification
was lacking. The transfer of sensitive data and the framework for the use of
those data would be incompatible with the EU Charter [para 167].

While the
agreement tried to limit the impact of automated decision-making, the Court
found it problematic because of the need to have reliable models on which the
automated decisions were made. These models, in the view of the Court, must
produce results that identify persons under a ‘reasonable suspicion’ of
participation in terrorist offences or serious transnational crime and should
be non-discriminatory. Models/databases should also be kept up-to-date and
accurate and subject to review for bias. Because of the error risk, all
positive automated decisions should be individually checked.

In terms of the
purposes for processing the data, the definition of terrorist offences and
serious transnational crime were sufficiently clear. There were however other
provisions, allowing case-by-case assessment.
These provisions (Article 3(5)(a) and (b) of the treaty) were found to
be too vague. By contrast, the Court
determined that the authorities who would receive the data were sufficiently
identified. Further, it accepted that the transfer of data of all passengers,
whether or not they were identified as posing a risk, does not exceed
what is necessary as passengers must comply with Canadian law and ‘the identification,
by means of PNR data, of passengers liable to present a risk to public security
forms part of border control’ [para 188].

Relying on its recent
judgment in Tele2/Watson (Joined
Cases C‑203/15 and C‑698/15, EU:C:2016:970), which I discussed here,
the Court reiterated that there must be a connection between the data retained
and the objective pursued for the duration of the time the data are held, which
brought into question the use of the PNR data after passengers had disembarked
in Canada. Further, the use of the data
must be restricted in accordance with those purposes. However,

where there is objective evidence from which it may be inferred that
the PNR data of one or more air passengers might make an effective contribution
to combating terrorist offences and serious transnational crime, the use of
that data does not exceed the limits of what is strictly necessary [para 201].

Following
verification of passenger data and permission to enter Canadian territory, the
use of PNR data during passengers’ stay must be based on new justifying circumstances.
The Court expected that this should be subject to prior review by an
independent body. The Court held that the agreement did not meet the required
standards. Similar points were made,
even more strongly, in relation to the use of PNR data after the passengers had
left Canada. In general, this was not strictly necessary, as there would no
longer be a connection between the data and the objective pursued by the PNR
Agreement such as to justify the retention of their data. PNR data may be
stored in Canada, however, when particular passengers present a risk of
terrorism or serious transnational crime. Moreover, given the average lifespan
of international serious crime networks and the duration and complexity of
investigations relating to them, the Court did not hold that the retention of
data for five years went beyond the limits of necessity [para 209].

The agreement
allows PNR data to be disclosed by the Canadian authority to other Canadian
government authorities and to government authorities of third countries. The
recipient country must satisfy EU data protection standards; an international
agreement between the third country and the EU or an adequacy decision would be
required. There is a further, unlimited and ill-defined possibility of disclosure
to individuals ‘subject to reasonable legal requirements and limitations ...
with due regard for the legitimate interests of the individual concerned’. This
provision did not satisfy the necessity test.

To ensure that
the individuals’ rights to access their data and to have data rectified are
protected, in line with Tele2/Watson,
passengers must be notified of the transfer of their PNR data to Canada and of
its use as soon as that information is no longer liable to jeopardise the
investigations being carried out by the government authorities referred to in
the envisaged agreement. In this respect, the agreement is deficient. While
passengers are told that the data will be used for security checks/border
control, they are not told whether their data has been used by the Canadian
Competent Authority beyond use for those checks. While the Court accepted that the agreement
provided passengers with a possible remedy, the agreement was deficient in that
it did not guarantee in a sufficiently clear and precise manner that the
oversight of compliance would be carried out by an independent authority, as
required by Article 8(3) EUCFR.

Comment

There are lots of
issues in this judgment, of interest from a range of perspectives, but its length
and complexity means it is not an easy read. Because of these characteristics,
a blog – even a lengthy blog – could hardly do justice to all issues,
especially as in some instances, it is hardly clear what the Court’s position
is.

On the whole the
Court follows the approach of its Advocate General, Mengozzi, on a number of
points specifically referring back to his Opinion.
There is, as seems increasingly to be the trend, heavy reliance on existing
case law and it is notable that the Court refers repeatedly to its ruling in Tele2/Watson.
This may be a judicial attempt to
suggest that Tele2/Watson was not an
aberration and to reinforce its status as good law, if that were in any doubt.
It also operates to create a body of surveillance law rulings that are
hopefully consistent in underpinning principles and approach, and certainly
some of the points in earlier case law are reiterated with regards to the
importance of ex ante review by independent bodies, rights of redress and the
right of individuals to know that they have been subject to surveillance.

The case is of
interest not only as regards mass surveillance but more generally in relation
to Article 16(2) TFEU. It is also the first time an opinion has been given on a
draft agreement considering its compatibility with human rights standards as
well as the appropriate Treaty base. In this respect the judgment may be a
little disappointing; certainly on Article 16, the Court did not go into the
same level of detail as in the AG’s opinion [AG114-AG120]. Instead it equated
Article 16 TFEU to Article 8 EUCFR, and based its analysis on the latter
provision.

As a general
point, it is evident that the Court has adopted a detailed level of review of
the PNR agreement. The outcome of the
case has widely been recognised as having implications, as, for example,
discussed earlier
on this blog. Certainly, as the Advocate
General noted, there is a possible impact on other PNR agreements [AG para 4], which relate
to the same sorts of data shared for the same objectives. The EDPS made this point too, in the context
of the EU PNR Directive:

Since the functioning of the EU PNR and the EU-Canada schemes are
similar, the answer of the Court may have a significant impact on the validity of
all other PNR instruments …. [Opinion 2/15, para 18]

There are other
forms of data sharing agreement, for example, SWIFT, the Umbrella
Agreement, and the Privacy Shield (and other
adequacy decisions), the last of which is coming under pressure in any event (DRI
v Commission (T-670/16) and La
Quadrature du Net and Others v Commission (T-738/16)). Note that in this context, there is not just
a question of considering the safeguards for the protection of rights; the question also
relates to the Treaty base. The Court found
that Article 16 must be used and that – because there was no role for judicial
authorities, still less their cooperation – the use of Article 82(1)(d) is
wrong. It has, however, been used, for
example, in regards to other PNR agreements.
This means that the basis for those agreements is thrown into
doubt.

While the Court
agreed with its Advocate General that a double Treaty base was
necessary given the inextricable linkage, there is some room to question this
assumption. It could also be argued that
there is a dominant purpose, as the primary purpose of the PNR agreement is to
protect personal data, albeit with a different objective in view, that of
public security. In the background, however, is the position of the UK, Ireland
and Denmark and their respective ‘opt-outs’ in the field. A finding of a
joint Treaty base made possible the argument of the Court that:

since the
decision on the conclusion of the envisaged agreement must be based on both
Article 16 and Article 87 TFEU and falls, therefore, within the scope
of Chapter 5 of Title V of Part Three of the FEU Treaty in so far as it must be
founded on Article 87 TFEU, the Kingdom of Denmark will not be bound, in
accordance with Articles 2 and 2a of Protocol No 22, by the provisions
of that decision, nor, consequently, by the envisaged agreement. Furthermore,
the Kingdom of Denmark will not take part in the adoption of that decision, in
accordance with Article 1 of that protocol. [para 113, see also para 115]

The position
would, however, have been different had the agreement been found to have been
predominantly about data protection and therefore based on Article 16 TFEU
alone.

Looking at the
substantive issues, the Court clearly accepted the need for PNR to challenge
the threat from terrorism, noting in particular that Article 6 of the Charter
(the “right to liberty and security of person”) can justify the processing of
personal data. While it accepted that this resulted in the systematic transfer of
data on large numbers of people, we see no comments about mass surveillance. Yet, is
this not similar to the ‘general and indiscriminate’ collection and analysis
rejected by the Court in Tele2/Watson
[para 97], and which cannot be seen as automatically justified even in the
context of the fight against terrorism [para 103 and 119]? Certainly, the EDPS took
the view in its opinion on the EU PNR Directive that “the non-targeted and bulk
collection and processing of data of the PNR scheme amount to a measure of
general surveillance” [Opinion 1/15,
para 63]. It may be that the difference is in the nature of the data; even if
this is so, the Court does not make this argument. Indeed, it makes no argument
but rather weakly accepts the need for the data. On this point, it should be noted that “the
usefulness of large-scale profiling on the basis of passenger data must be
questioned thoroughly, based on both scientific elements and recent studies” [Art.
29 WP Opinion 7/2010, p. 4]. In this aspect, Opinion 1/15 does not take as strong a stand as Tele2/Watson [cf. paras 105-106]; it seems that the Court was less
emphatic about the significance of surveillance even than the Advocate General [AG
176].

In terms of
justification, while the Court accepts that the transfer of data and its
analysis may give rise to intrusion, it suggests that the essence of the right
has not been affected. In this it follows the approach in the communications
data cases. It is unclear, however, what
the essence of the right is; it seems that no matter how detailed a picture of
an individual can be drawn from the analysis of data, the essence of the right
remains intact. If the implication is
that where the essence of the right is affected then no justification for the
intrusion could be made, a narrow view of essence is understandable. This does not, however, answer the question
of what the essence is and, indeed, whether the essence of the right is the
same for Article 7 as for Article 8. In
this case, the Court has once again referred to both articles, without
delineating the boundaries between them, but then proceeded to base its
analysis mainly on Article 8.

In terms of
the relationship between provisions, it is also unclear how Art 8(2) and
Art 52 relate to each other. The Court
bundles the requirements for these two provisions together but they serve
different purposes. Article 8(2) further elaborates the scope of the right;
Article 52 deals with the limitations of Charter rights. Despite this, it seems that some of the
findings will apply Article 52 in the context of other rights. For example, in
considering that an international agreement constitutes law for the purposes of
the EUCFR, the Court took a broader approach to the meaning of ‘law’ than the
Parliament had argued for. This however
seems a sensible approach, avoiding undue formality.

One further
point about the approach to interpreting exceptions to the rights and Article
52 can be made. It seems that the Court has not followed the Advocate General
who had suggested that strict necessity should be understood in the light of
achieving a fair balance [AG207].

Some specific
points are worth highlighting. The Court held that sensitive data (information
that reveals racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade-union membership, information about a person’s
health or sex life) should not be transferred. It is not clear what
interpretation should be given to these data, especially as regards proxies for
sensitive data (e.g. food preferences may give rise to inferences about a
person’s religious beliefs).

One innovation
in the PNR context is the distinction the Court introduced between use of PNR
data on entry, use while the traveller is in Canada, and use after the person
has left, which perhaps mitigates the Court’s acceptance of undifferentiated
surveillance of travellers. The Court’s
view of the acceptability of use in relation to this last category is the most stringent. While the Court accepts the link between the
PNR data and the objective pursued where the data is processed on arrival, after departure the Court expects that link
to be proven, and absent such proof, there is no justification for the
retention of data. Does this mean that on departure PNR data of persons who are
not suspected of terrorism or transnational crime should be deleted at the
point of their departure? Such a requirement surely gives rise to practical
problems and would seem to limit the Court’s earlier acceptance of the use of
general PNR data to verify/update computer models [para
198].

One of the
weaknesses of the Court’s caselaw so far has been a failure to consider
investigatory techniques, and whether all are equally acceptable. Here we see the Court beginning to consider the
use of automated intelligence techniques.
While the Court does not go into detail on all the issues to which
predictive policing and big data might give rise, it does note that models must
be accurate. It also refers to Article
21 EUCFR (discrimination). In that this
section is phrased in general terms, it has potentially wide-reaching
application, potentially even beyond the public sector.

The Court’s
judgment has further implications as regards the sharing of PNR and other security
data with other countries besides Canada, most notably in the context of EU/UK
relations after Brexit. Negotiators now have a clearer indication of what it
will take for an agreement between the EU and a non-EU state to satisfy the
requirements of the Charter, in the ECJ’s view. Time will tell what impact this
ruling will have on the progress of those talks.

1 comment:

A very informative read. Yes, serious crimes of terrorism while traveling have become a top of mind concern for all travelers these days, especially while traveling with families. While certain measures are absolutely needed, we have also witnessed many rather unnecessary security measures which perhaps should be more thought out before being imposed.